File Sharing Difficulties Frustrate Tiger Admins

rmallico wrote in to mention a story currently running on Eweek about technical difficulties sites running Tiger are experiencing. From the article: "A number of sites running Apple's new 'Tiger' operating system are experiencing problems with SMB file sharing and authentication with Microsoft's Active Directory, Ziff Davis Internet News has learned. Although Apple Computer Inc.'s Tiger increases support for Server Message Block file sharing and Active Directory, several sources say that the Finder fails to log on to Windows and Linux Samba file servers."

Re:Oh, right, error code -36!

[FidelCatsro]

Its actualy very usefull if you have a list of the error codes and what they mean.
http://www.appleerrorcodes.com/

Work-around

[Noksagt]

Easy workaround:
Command-K to bring up the connect menu and type in the full address INCLUDING THE SHARE NAME:

smb://SERVER/folder

Re:Work-around

[Noksagt]

Also note that you can also do it on the CLI. Open up term and do a:
$ mount_smbfs -W workgroup //user@SERVER/folder ./mntpoint

Anecdotal...

[Shag]

One friend indicated that things refused to work in plaintext-password mode, but once he turned on encrypted passwords, they worked fine.

I'm not sure whether he had to turn on the encrypted passwords at the Mac end or the PC end, but I seem to recall thinking "gosh, imagine that, doing something the secure way."

Not sure if it's this...

[mferrare]

I had a problem with 10.3 authenticating to a W2k3 AD server and mounting shares. Turned out I had to modify the Domain Controller Security Policy on the server and set Microsoft Network Server: Digitally Sign Communications (always) to Disabled. I am now running 10.4 and I have no problems connecting to this w2k3 server.

I got this solution from here by the way. Thanks to Drew McLelland.

I fixed my problems

[mr_zorg_mobile]

I had this problem too after upgrading. I found that deleting my SMB keychain entries solved it allowed me to login again (after getting my admin to unlock my account from all those failed attempts).

Re:Samba supports it

[spauldo]

The admin's wrong. Samba can do it now, although in all fairness it took a while after active directory was released for it to be able to work with it well. He's probably just basing that on old information.

As far as the protocol, SMB is (IIRC, I could be wrong) an IBM-designed protocol. It's been around for ages - hell, NT domains were just hopped up lan manager networks. The authentication in active directory uses a slightly modified form of kerberos - also an open protocol. They have tried to put a few legal barriers in the way, but those have been mostly ineffective.

Now, there is another possibility - it might be against policy at your university for non-windows machines to authenticate. If it's set up so that all machines have to be added to the tree by an admin, it's certainly enforcable, and thus your admin would be right in that particular case. He's just not right in the general case.

Re:Samba supports it

[CowbertPrime]

hi. AD is just LDAP with some extra cruft/bloat/stuff added; which is mostly documented anyway. Your IT department is clueless. You can also fall back to kerberos (which despite the FUD, interoperates with the majority of MIT Kerberos V implementations), if you did not have a functional (Open)LDAP infrastructure.

Re:Oh, right, error code -36!

[FidelCatsro]

More info can be obtained from console.app in the Utilities directory under Applications(/Applications/utilities , or just go through the system logs from the terminal , but console.app is a rather nice time saver), its just a colection of the systems logs but its rather usefull and searchable .
It does give a more detailed output. for example when i try to connect to my existant SMB share it gives me

May 7 11:32:53 Xcomp kernel[0]: netsmb_dev: loaded
May 7 11:32:53 xcomp[0]: netsmb_dev: loaded
May 7 11:35:39 xcomp[0]: smbfs_aclsflunksniff: user sid S-1-5-21-2466424394-2119469220-2469460652-2002 didnt map

I would have given an example of the error output from the specific problem , but i am doing some work on the linux comp that runs my nfs and samba shares right now .

History of SMB problems with OS X

[tyagiUK]

I first started using OS X in the early days of 10.2 (yes, a relative latecomer). This was when my wife bought an iBook (after some *ahem* guidance... read encouragement) for studies she was undertaking. When she wasn't working on it, I got to play and set to work integrating it with our home network.

The pain I had getting SMB to perform acceptably under 10.2 nearly put me off OS X. Basically, the way that 10.2 handled mounting network filesystems really sucked. It was unreliable and often left the system hanging with a spinning beachball (the Mac equivalent of an egg timer). Often, powering off was the only solution.

This was fortunately fixed later on in the 10.2 lifecycle with some networking updates. Things got much better from then on.

When I got my own iBook several months later, it arrived with 10.3. This release seemed to have a reasonably good SMB implementation, but the performance was truly sucky. File transfer speeds between the iBooks and my Linux-based Samba server were low, but at least mounting was reliable.

As 10.3 progressed, this problem went away and performance/reliability are currently both very good. It means I can use SMB between my Linux server and both iBook and Windows XP clients. All works just fine.

I am, however, considering a move to WebDAV for file sharing on the network. WebDAV is a nicely lightweight protocol and has the benefit of being an open standard. Most good implementations are open source too. There are also client libraries for most decent scripting/programming languages. The added benefit is that you can integrate the WebDAV server in to OS X to perform iSync backups of your system and do calendar sharing etc. All nice, geeky, stuff.

The only major problem I can see at the moment is that the way the WebDAV server interacts with the underlying filesystem is a bit complex, given that my server runs under Apache. The model it appears to assume is that the server will have a dedicated directory or area for WebDAV files, and not simply share out a user's home directory or a backup drive.

I do need to go and RTFM, however.

Re:Oh, right, error code -36!

[As+Seen+On+TV]

Actually what the spinning cursor icon means is that the program that has focus has events waiting to be processed by the run loop. That cursor appears automatically when an event waits for longer than a hard-coded threshold ... I think it's three seconds, but I doubt myself and I don't feel like looking it up right now. It would usually happen when the process was waiting for a kernel lock for some reason, usually disk or network I/O. The incidence in Tiger should drop dramatically thanks to finer-grained kernel locking.

Admittedly this is an esoteric implementation detail. It's not really meant to communicate anything to the user other than "I'm waiting."

So far I'm having the opposite experience

[NtroP]

With 10.2 and Panther, getting client to successfully bind and work with Active Directory to something akin to VooDoo and several other flavors of black magic. That being said, when we did a thorough audit and clean up of Active Directory (Sites and Services, DNS, etc.) most of the problems disappeared, but there were often little things we did to increase our odds of things working smoothly.

The other day a colleague of mine installed Tiger on his laptop (he never had it bound before, just connected to whatever shares with Cmd-K, etc.). He asked about using his AD credentials to log on. I told him "Sure, we just need to bind it to AD, do a few tweaks and anyone with an AD account could log in, just like Windows." Meanwhile, I was mentally crossing my fingers that there wouldn't be any new tweaks that needed to be learned.

So I pointed him to Utilities/Directory Access and had him click the Active Directory option, put in his domain (this is where I would usually start my VooDoo dances with the "advanced" options -- but I thought, "what the hell, lets give it a shot") click on Bind. It asked for a domain admin account, which I entered, and it bound without a hitch (I about fainted). I had him reboot (just to make sure) and then had him log in with his AD account. I worked beautifully, including mounting his home directory off our Win2K server. This had NEVER worked without tweaking for us under panther (although with a little tweaking under 10.2.8+ it worked fine). We transfered files, which went smoothly and quickly, and we looked around the network a bit.

Although I haven't thoroughly tested it yet, I'd say my initial experience with Tiger and SMB/AD has been great. That being said, MOST of our problems with Macs using our AD domain has been Windows-related (missing DNS entries, Sites-and-Services borked, or WINS not working/configured right, etc). Hearing about problems like this after a major change doesn't exactly surprise me, and I'm willing to cut Apple a bit of slack here. They are dealing with a reverse-engeneered protocol on networks where it is very likely that AD isn't in pristine or "best-practices" condition.

We have 35 sites using AD right now in our domain, and the migration from NT4 to Win2K/AD was a learning experience, to say the least. We've learned a lot in the process and, we've found that if you mess up something in AD in the beginning, it's damn near impossible to cleanly remove or fix it. I suspect that there are a lot of installations out there that still have AD ghosts hanging around that make 3rd-party integration a crap-shoot at best. What apple needs to work on is improving their tolerance for broken AD implementations, like windows does.

Of course, if MS would publish the full SMB/AD protocol it would be easier.